海角大神

New York Times hacked, Syrian Electronic Army takes credit

A political hacktivist group that has the backing of the Syrian president apparently hit The New York Times, along with Twitter and The Huffington Post UK edition.

AP
The Syrian Electronic Army, which claimed to have hacked The New York Times website, was also responsible for hacking the BBC Weather Twitter feed this March.

Visitors to The New York Times website were greeted with blank browser screens for several hours on Tuesday, thanks to an attack claimed by the Syrian Electronic Army.

While the integrity of the Times’s website was not itself affected, those attempting to access that site through other servers around the world were redirected to Web addresses controlled by the SEA, several cybersecurity analysts told the Monitor.

At about the same time, Twitter and The Huffington Post UK edition were also the subject of cyberattacks apparently orchestrated by the SEA, according to Twitter accounts used by the SEA. Those attacks were confirmed separately by cybersecurity analysts contacted by the Monitor, who checked the SEA’s claims against Web addresses and Internet registrar sites.

Unlike the situation for the Times website, however, there were no immediately reported access problems for Twitter or Huffington Post users.

Analysts describe what happened to the Times as a DNS-type (or domain name system) attack. In such an attack, the website’s digital address is stolen from its rightful owner and then attached to a rogue site — in this case, the SEA home page, the analysts say.

“What The New York Times is trying to do is get their property back,” says John Bumgarner, a research director for the US Cyber Consequences Unit, a cybersecurity think tank. “Their website address was essentially stolen, hijacked away from them — and now The New York Times is scrambling to get full ownership back.”

It was the second time this month the Times site has gone down for an extended period, with the first time being attributed to internal technical server issues. Moreover, a hacker group also calling itself the Syrian Electronic Army claimed responsibility for a cyberattack that affected The Washington Post’s and CNN’s websites on Aug. 15.

The SEA is a political hacktivist group that has the backing of Syrian President Bashar al-Assad.

The New York Times confirmed that its site was unavailable to readers on Tuesday afternoon following a hacking attack on the company’s domain name registrar, Melbourne IT. Times employees were required not to send any sensitive e-mails.

“Marc Frons, chief information officer for The New York Times Company, issued a statement at 4:20 p.m. warning employees that the disruption — which appeared to still be affecting the Web site more than two hours later — was the result of an external attack by ‘the Syrian Electronic Army or someone trying very hard to be them,’ ” the Times reported. “He advised employees to ‘be careful when sending e-mail communications until this situation is resolved.’”

Most would-be visitors to the Times website, however, did not end up at the SEA website. Access to that site was apparently cut off by browser companies trying to assist the Times, some analysts suggested.

The way DNS works is that whenever a computer needs to reach a domain name like nytimes.com, it first has to contact its DNS server. The DNS server responds with one or more IP addresses where that computer can reach nytimes.com. Then the computer can connect to the Times website through that numerical IP address.

Put another way, DNS changes people-readable addresses like nytimes.com into computer-readable IP addresses like “170.149.168.130.”

Just on Monday, visitors to Google’s Web page in the Palestinian territories — Google.ps — would have been redirected. Even though Google’s own service was not hacked, the DNS for the website was hijacked — by political hacktivists apparently protesting the labeling of some territory as Israeli on Google Maps. The attack was similar to the DNS hijacking of the Times website address, cybersecurity experts say.

“While the [Google] attack wasn't major, nor did it affect Google's own services, I think it highlights a serious issue in Internet infrastructure,” says Rodrigo Bijou, an independent cybersecurity consultant. “Major brands across all sectors need to secure domain names in foreign countries, and often the security of DNS registries is quite poor.... This was a basic protest attack by hacktivists, but more malicious actors could do the same with more serious consequences.”

Some analysts suggested that the attack on the Times might be a particularly dangerous variety called “DNS cache poisoning” or “DNS spoofing.” This exploits vulnerabilities in the DNS to redirect Internet traffic away from legitimate servers and toward fake sites.

One reason DNS poisoning is hazardous, Mr. Bijou and others say, is that it can spread from one DNS server to another around the world. One such DNS poisoning in 2010 resulted in the “Great Firewall of China” temporarily widening far beyond China’s borders.

However, other experts said that while there were signs of a DNS hijacking on Tuesday, the dangerous cache poisoning was not occurring. Also, there was no evidence of a suspected secondary distributed denial of service attack on the Times, according to experts at Arbor Networks in Burlington, Mass. A DDoS attack bombards a site with data to overwhelm servers and block user access.

“There has been no evidence of a DDoS attack being involved with the ongoing attacks against the New York Times,” said Dan Holden, Arbor Networks director of security research, in a statement. “There has also been no evidence of cache-poisoning being involved in this attack. This appears to be the latest in an ongoing series of registrar compromises.”

Wherever possible, he noted, organizations should ensure that their service providers adequately protect their DNS infrastructure from attack.

“We continue to see DNS infrastructure leveraged as a weak link and jumping off point for attacks,” he said.
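
The distinction the analysts draw above, between a registrar compromise and cache poisoning, can be checked from the defender's side by comparing the delegation published by the parent zone with answers from several resolvers. The following is an added example, not part of the original article; the baseline, the resolver labels, and all names and addresses are constructed placeholders, and the verdict rules are an assumed triage heuristic.

```python
"""Triage a DNS answer mismatch: delegation change vs. resolver-specific deviation.

All names and addresses are constructed placeholders (RFC 2606 / RFC 5737),
not values from the incident described in the article.
"""

# Assumed baseline the domain owner recorded while the domain was healthy.
BASELINE = {
    "ns": {"ns1.news-example.test", "ns2.news-example.test"},
    "a": {"192.0.2.10", "192.0.2.11"},
}


def triage(baseline, parent_ns, resolver_answers):
    """Classify observations.

    parent_ns: NS names the parent (TLD) zone currently publishes for the domain.
    resolver_answers: {resolver label: set of A records it returned}.
    """
    rogue_ns = set(parent_ns) - baseline["ns"]
    deviating = {
        label: sorted(set(ips) - baseline["a"])
        for label, ips in resolver_answers.items()
        if set(ips) - baseline["a"]
    }
    if rogue_ns:
        # Delegation itself changed: resolvers still serving good answers are
        # only doing so from cache and will follow the new NS once TTLs expire.
        verdict = "delegation_changed"
    elif deviating and len(deviating) == len(resolver_answers):
        # Delegation intact but every resolver disagrees with the baseline.
        verdict = "zone_content_changed"
    elif deviating:
        # Delegation intact and only some resolvers deviate.
        verdict = "resolver_specific"
    else:
        verdict = "ok"
    return {"verdict": verdict, "rogue_ns": sorted(rogue_ns), "deviating": deviating}


# Constructed observations for the two scenarios the analysts contrast.
_MIXED = {"resolver-a": {"192.0.2.10"}, "resolver-b": {"203.0.113.66"}}
HIJACK = triage(BASELINE, {"ns1.rogue-example.test", "ns2.rogue-example.test"}, _MIXED)
POISONED = triage(BASELINE, BASELINE["ns"], _MIXED)

if __name__ == "__main__":
    print(HIJACK)
    print(POISONED)
```

The same mixed resolver answers yield different verdicts depending on the parent-zone delegation, which is why the delegation check comes first.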
